Access to confidential and proprietary data is often performed using electronic access or security systems. Electronic security systems are typically employed to access a network, network resources (e.g., servers, modems, electronic mailboxes, etc.), software applications running on servers, portions of the Internet or World Wide Web pages, databases, files or other electronic data. Electronic security systems are particularly important with individual or networked computers that store confidential information.
Other electronic security systems have been developed to authenticate human users, generally with the use of personal passwords or personal identification numbers (PIN). For example, users or subscribers to a telecommunications service, such as voicemail, enter their PINs using touch-tone numeric input (dual tone multi-frequency (DTMF) input). Subscribers can increase the number of digits in their PINs to increase security. For example, employing a 12-digit PIN provides greater security than a 3-digit PIN. Electronic mail (email) systems similarly employ PINs. The PINs may be automatically changed on a periodic basis for increased security. For example, a system administrator for the email system may require that subscribers periodically change their PIN (e.g., change their PIN monthly).
These electronic security systems, however, provide only a limited level of security, since they rely on authenticating a user account number and password or PIN. An unauthorized user may obtain an authorized user's account number and PIN and thereby inappropriately access the system or service. Another drawback with such static PIN security systems is that if long PINs are used, or PINs are changed frequently, users may have difficulty remembering such PINs.
One important requirement for electronic security systems is that they provide a high level of security. For example, some systems perform user authentication, rather than simply performing machine or system authentication. In other words, such an electronic access system authenticates individuals or users who may access the system, rather than a system that has been preprogrammed with access information (e.g., running a “script” to permit access). Such an electronic security system, to maintain security, must ensure that only authorized users are allowed access to the system.
Certain personal authentication systems are available, such as fingerprint identifiers, retinal scan devices, voice fingerprint or sound pattern identifiers, and the like. Such personal authentication systems, however, are typically very expensive and inapplicable to many environments. For example, such fingerprint or retinal scan identification devices are difficult or expensive to employ in a large network of computers, including a network where users may access the network from various geographic locations (e.g., via standard phone lines using a modem and laptop computer). Furthermore, such systems would be inapplicable for use over a voice telephone network, since sophisticated and expensive equipment is required to obtain fingerprint and retinal scan data. Such expensive equipment is simply lacking at nearly all telephone locations from which a subscriber may wish to gain access to the system.
Other security systems employ lower cost devices, such as identification (ID) card readers. Such identification systems require use of a physical ID card having a code or even an algorithm that generates a code at predetermined intervals (e.g., every ten seconds). A server computer (or “server”) stores the same code or employs the same algorithm to generate the same code at the same predetermined interval. Thus, a user must possess the card to obtain authentication by the server. However, if the card is lost or damaged, the user cannot be authenticated. Additionally, unauthorized users could simply obtain the card and thereby gain access to the system. Moreover, such a system is applicable only with suitable card readers. Therefore, such a security system would again be inapplicable for use with standard telecommunications equipment, such as a public telephone.
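The card-and-server scheme described above, as an added example that is not part of the original text: both sides derive a short code from a shared secret and the current ten-second interval, and the server compares. The HMAC-SHA-256 derivation, six-digit code length, one-interval clock-skew window and replay check are assumptions chosen for illustration; the text does not specify the algorithm.

```python
import hashlib
import hmac
import struct

INTERVAL_SECONDS = 10  # the text's example interval
CODE_DIGITS = 6        # assumed code length


def interval_code(secret: bytes, unix_time: float) -> str:
    """Code the card displays (and the server recomputes) for this interval."""
    counter = int(unix_time) // INTERVAL_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # take 4 bytes of the MAC at a MAC-dependent offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Server:
    """Holds the same secret as the card and checks submitted codes."""

    def __init__(self, secret: bytes, skew_intervals: int = 1):
        self.secret = secret
        self.skew = skew_intervals   # tolerate card/server clock drift
        self.last_counter = -1       # highest interval already accepted

    def authenticate(self, submitted: str, server_time: float) -> bool:
        current = int(server_time) // INTERVAL_SECONDS
        matched = None
        for counter in range(max(0, current - self.skew), current + self.skew + 1):
            expected = interval_code(self.secret, counter * INTERVAL_SECONDS)
            # constant-time comparison; no early exit on a match
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                matched = counter
        if matched is None or matched <= self.last_counter:
            return False             # wrong or expired code, or a replayed one
        self.last_counter = matched
        return True


if __name__ == "__main__":
    secret = b"constructed-demo-secret"     # constructed sample value
    server = Server(secret)
    code = interval_code(secret, 1000)      # card reading at t=1000
    print(server.authenticate(code, 1012))  # True: within one interval of skew
    print(server.authenticate(code, 1013))  # False: replay of an accepted code
```

Nothing in the check identifies the person holding the card: any party who can read the displayed code within the accepted window authenticates, which is the possession-only weakness the paragraph notes.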
Another known security system employs a software solution known as “Softkey.” The Softkey system provides a challenge to a user provided by a server, to which the user must respond, typically by means of a client computer (or “client”) coupled to the server. When a user initially logs onto the server, the server, for example, selects 8 words from a table of words, where each word has 4 to 8 characters. The user must then type in each of the eight words. As a result, the user must type 24 to 64 characters in a response to the server's challenge. The server generates the same 8 words, and compares the 8 words it receives from the client to those locally generated. If the two match, then the user is authenticated.
One problem with the Softkey system is that the user must correctly enter the 8 words, requiring up to 64 keystrokes. Such a response by the user can be time-consuming and tedious for non-touch typists. The Softkey system also has further limitations that make it insufficiently robust for protecting highly confidential information on a computer network or in other suitable environments. While the Softkey system requires less sophisticated hardware than, for example, fingerprint readers, retinal scan identification devices, and ID cards employing random code generators, the user must nevertheless use a laptop computer which executes a security software routine. Again, a user could not gain access to, for example, a voicemail box system using a public telephone under the Softkey system.
In the drawings, identical reference numbers identify identical or substantially similar elements or steps. To easily identify the discussion of any particular element, the most significant digit or digits in the reference number refer to the Figure number in which that element is first introduced (e.g., step 304 is first introduced and discussed with respect to FIG. 3).
The headings provided herein are for convenience only, and do not affect the scope or meaning of the claimed invention.